<p><strong>Suricata - Bug #708: Flow vars issue in pcap file mode</strong></p>
<p>Issue journal, <a class="external" href="https://redmine.openinfosecfoundation.org/issues/708">https://redmine.openinfosecfoundation.org/issues/708</a> (Open Information Security Foundation)</p>

<p><strong>Anoop Saldanha</strong>, <a class="external" href="https://redmine.openinfosecfoundation.org/issues/708?journal_id=2697">2013-01-13 06:12:35 UTC</a></p>
<ul><li><strong>Assignee</strong> set to <i>Anoop Saldanha</i></li></ul>

<p><strong>Anoop Saldanha</strong>, <a class="external" href="https://redmine.openinfosecfoundation.org/issues/708?journal_id=2714">2013-01-15 09:28:30 UTC</a></p>
<p>Would the above set of rules work? As in, sig 7 will be run for every packet heading in the port 80 direction, which means all the SYN retransmissions as well, which is why you are seeing alerts for 80-http.pcap as well. You can see a fair bit of FPs.</p>
<p>Unable to reproduce the single vs autofp thing you are noticing. See an alert. I have an update to the engine, which might be a fix, but single vs autofp in this case should virtually be the same thing. Let me check in some detail next.</p>
<p>On an unrelated note, we should probably support</p>
<p><code>alert !&lt;protocol&gt; ....</code></p>
<p>which should be more reliable.</p>

<p><strong>Anoop Saldanha</strong>, <a class="external" href="https://redmine.openinfosecfoundation.org/issues/708?journal_id=2715">2013-01-15 12:12:10 UTC</a></p>
<p>Unable to reproduce the single vs autofp thing.</p>
<p>Btw, a feature update patch related to the code corresponding to the bug (but not related to the bug itself):</p>
<p><a class="external" href="https://github.com/inliniac/suricata/pull/253">https://github.com/inliniac/suricata/pull/253</a></p>

<p><strong>Victor Julien</strong>, <a class="external" href="https://redmine.openinfosecfoundation.org/issues/708?journal_id=3578">2013-10-26 10:21:13 UTC</a></p>
<ul><li><strong>Target version</strong> set to <i>TBD</i></li></ul>

<p><strong>Andreas Herz</strong>, <a class="external" href="https://redmine.openinfosecfoundation.org/issues/708?journal_id=7287">2016-09-06 16:59:31 UTC</a></p>
<p>I can reproduce it, but in the first case I receive</p>
<pre>
6/9/2016 -- 23:57:31 - &lt;Warning&gt; - [ERRCODE: SC_ERR_INVALID_CHECKSUM(11)] - 1/1th of packets have an invalid checksum, consider setting pcap-file.checksum-checks variable to no or use '-k none' option on command line.
</pre>
<p>So when I start it with "-k none" the alert won't trigger. So still a bug, or working as expected in that case?</p>

<p><strong>Andreas Herz</strong>, <a class="external" href="https://redmine.openinfosecfoundation.org/issues/708?journal_id=7374">2016-09-08 15:27:06 UTC</a></p>
<ul><li><strong>Assignee</strong> changed from <i>Anoop Saldanha</i> to <i>OISF Dev</i></li></ul>

<p><strong>Victor Julien</strong>, <a class="external" href="https://redmine.openinfosecfoundation.org/issues/708?journal_id=9761">2018-05-30 08:11:19 UTC</a></p>
<p>Without -k none the stream engine rejects the packets and packets are inspected differently. In the normal case they are inspected after reassembly, so a bit later.</p>

<p><strong>Andreas Herz</strong>, <a class="external" href="https://redmine.openinfosecfoundation.org/issues/708?journal_id=12937">2019-07-10 21:27:57 UTC</a></p>
<p>So with -k none the alert should trigger, right?</p>

<p><strong>Philippe Antoine</strong>, <a class="external" href="https://redmine.openinfosecfoundation.org/issues/708?journal_id=29297">2023-07-21 07:41:42 UTC</a></p>
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Closed</i></li></ul>
<p>The official way to do this is <code>alert tcp any any -> any 80 (msg:"non-HTTP traffic over HTTP standard port"; flow:to_server; app-layer-protocol:!http; sid:1;)</code>, as tested by S-V test detect-app-layer-protocol-01.</p>